52 CHAPTER 4. SECURITY IN ORDINARY OPERATING SYSTEMS Because of the negative permissions, the way that the SRM processes authorization queries is more complicated than in the UNIX case. The main difference is that the ACEs in an ACL are ordered, and the ACEs are examined in that order. The SRM searches the ACEs until it finds a set of ACEs that permits the operation or a single ACE that denies the operation. If an ACE grants the necessary operations 7 , then the request is authorized. However, if a deny ACE is encountered that includes one of the requested operations, then the entire request is denied. Example 4.3. Returning to Example 4.2 above, the ACEs of the object’s ACL are ordered as shown in Figure 4.1. Note that the ACE field for access rights is really a bitmap, but we list the operations to simplify understanding. Further, we specify the process tokens for two processes, P1 and P2. Below, we show the authorization results for a set of queries by these processes for the target object. P1, read: ok P1, read, write: no P2: read: ok P2: read, write: no Both P1 and P2 can read the target object, but neither can write the object. P1 cannot write the object because the P1 token include Group1 which matches the deny ACE for writing. P2 cannot write the object because the ACE for Bob does not permit writing. Mediation in Windows is determined by a set of object managers. Rather than a monolithic set of system calls to access homogeneous objects i.e., files in UNIX, each object type in Windows has an object manager that implements the functions of that type. While the Windows object managers all run in the kernel, the object managers are independent entities. This can be advantageous from a modularity perspective, but the fact that object managers may extend the system presents some challenges for mediation. We need to know that each new object manager mediates all operations and determines the rights for those operations correctly. There is no process for ensuring this in Windows. In Windows, the trusted computing base consists of all system services and processing running as a trusted user identity, such as Administrator 8 . Windows provides a setuid-like mechanism for invoking Windows Services that run at a predefined privilege, at least sufficient to support all clients. Thus, vulnerabilities in such services would lead to system compromise. Further, the ease of software installation and complexity of the discretionary Windows access control model often result in users running as Administrator. In this case, any user program would be able to take control of the system. This is often a problem on Windows systems. With the release of Windows Vista, the Windows model is extended to prevent programs downloaded from the Internet from 7 It may take multiple ACEs to grant all the requested operations, so this refers to the ACE that grants whatever remaining operations were requested. 8 In addition, these services and processes may further depend on non-Administrator processes, which would make the system TCB even less secure.